AWS SCS-C01 Exam: Encrypting Objects in the 'demo' Bucket

Question

Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted?

Answers

Explanations

Answer - A.

The condition "s3:x-amz-server-side-encryption":"aws:kms" ensures that uploaded objects must be encrypted.

Option B is incorrect because the condition of "s3:x-amz-server-side-encryption":"aws:kms" should be StringNotEquals instead of StringEquals.

Option C is incorrect because an explicit deny should be used instead of an explicit allow.

Option D is incorrect because the condition of "s3:x-amz-server-side-encryption":"aws:kms" should be used.

For more information on AWS KMS best practices, just browse to the below URL:

https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

The correct bucket policy that will ensure that objects being uploaded to a bucket called 'demo' are encrypted is option A.

Explanation:

The bucket policy is written in JSON format and consists of a set of statements that define the permissions and restrictions for the resources in the bucket. The policy statement contains the following elements:

  • Version: Specifies the version of the policy language used to create the policy statement. The current version is 2012-10-17.
  • Id: An optional field that can be used to identify the policy statement.
  • Statement: An array of one or more statements that define the permissions and restrictions for the resources in the bucket.

In the given policy statements, option A has the following statement:

```json
{
  "Sid": "DenyUploads",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::demo/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption": "aws:kms"
    }
  }
}
```

Here, the "Effect" element is set to "Deny", which means that the specified action (s3:PutObject) will be denied. The "Principal" element is set to "*", which means that the policy applies to all principals. The "Action" element specifies the action that is being controlled, which is "s3:PutObject". The "Resource" element specifies the ARN of all objects in the bucket, which is "arn:aws:s3:::demo/*".

The "Condition" element specifies that the encryption type used for uploading objects must be AWS KMS. This is achieved by setting the "StringNotEquals" element to "aws:kms" for the "s3:x-amz-server-side-encryption" key. Therefore, if a user tries to upload an object to the 'demo' bucket without using AWS KMS encryption, the upload will be denied.
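The following is an added example, not part of the exam page: a small local evaluator that walks the option A deny statement against a few constructed PutObject requests, so the effect of the operator choice can be checked without deploying anything. The bucket name, object keys and request headers are constructed for the example. The policy pairs the StringNotEquals statement from option A with a second "Null" statement, the companion AWS documents for catching uploads that send no encryption header at all; the evaluator models only the StringEquals, StringNotEquals and Null operators and deliberately treats a missing key as no match for the string operators, so the missing-header outcome comes from the Null statement rather than from any assumption about IAM's missing-key semantics.

```python
"""Local, offline evaluator for the 'demo' bucket encryption policy (constructed example)."""

BUCKET = "demo"  # constructed: matches the bucket name used in the exam question


def deny_statement(operator: str, sid: str = "DenyUploads") -> dict:
    """Build the option A style statement with a chosen condition operator.

    operator="StringNotEquals" reproduces option A; operator="StringEquals"
    reproduces the mistake the explanation attributes to option B.
    """
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {operator: {"s3:x-amz-server-side-encryption": "aws:kms"}},
    }


# Second statement: the documented AWS companion that denies uploads carrying
# no x-amz-server-side-encryption header at all (Null operator, not on the page).
NULL_STATEMENT = {
    "Sid": "DenyUnencryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
}


def make_policy(operator: str = "StringNotEquals") -> dict:
    return {"Version": "2012-10-17", "Statement": [deny_statement(operator), NULL_STATEMENT]}


def condition_matches(condition: dict, context: dict) -> bool:
    """Return True when every operator/key pair in the Condition block matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Simplification: an absent key is treated as "no match" here; the
                # Null statement below is what covers the missing-header case.
                if actual is None or actual == expected:
                    return False
            elif operator == "Null":
                want_absent = str(expected).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            else:
                raise ValueError(f"operator not modelled in this example: {operator}")
    return True


def resource_matches(pattern: str, arn: str) -> bool:
    """Trailing-wildcard matching, enough for 'arn:aws:s3:::demo/*'."""
    if pattern.endswith("*"):
        return arn.startswith(pattern[:-1])
    return pattern == arn


def evaluate_put_object(policy: dict, object_key: str, headers: dict) -> tuple:
    """Evaluate a PutObject request against the Deny statements only.

    Returns ("DENY", sid) for the first matching explicit deny, otherwise
    ("NOT_DENIED", None): a bucket-policy Deny never grants access by itself,
    the caller still needs an Allow from somewhere (identity policy or bucket policy).
    """
    arn = f"arn:aws:s3:::{BUCKET}/{object_key}"
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "s3:PutObject" not in actions:
            continue
        if not resource_matches(stmt["Resource"], arn):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return ("DENY", stmt["Sid"])
    return ("NOT_DENIED", None)


if __name__ == "__main__":
    # Constructed requests: KMS-encrypted, SSE-S3 (AES256), and no encryption header.
    requests = [
        {"x-amz-server-side-encryption": "aws:kms"},
        {"x-amz-server-side-encryption": "AES256"},
        {},
    ]
    for operator in ("StringNotEquals", "StringEquals"):
        policy = make_policy(operator)
        for hdrs in requests:
            print(operator, hdrs, "->", evaluate_put_object(policy, "reports/q1.csv", hdrs))
```

Running the script shows the inversion the explanation describes: with StringNotEquals, only the aws:kms upload passes, while with StringEquals the KMS-encrypted upload is the one that gets denied and the AES256 upload slips through.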

Option B has a similar policy statement, but the "Effect" element is set to "Deny", which will deny all uploads to the 'demo' bucket regardless of the encryption type used.

Option C has an "Effect" element set to "Allow", which means that the policy will allow uploads to the 'demo' bucket. Therefore, this option does not ensure that the objects being uploaded are encrypted with AWS KMS.

Option D has the "Action" element set to "s3:PutObjectEncrypted", which is not a valid action. The correct action is "s3:PutObject". Therefore, this option will not work as intended.